Efficient Malware Detection using Model-Checking Tayssir Touili - - PowerPoint PPT Presentation

Efficient Malware Detection using Model-Checking

Tayssir Touili LIPN, CNRS & Univ. Paris 13

Motivation: Malware Detection

• The number of new malware exceeds 75 million by the end of 2011, and is still

increasing.

• The number of malware that produced incidents in 2010 is more than 1.5 billion.
• The worm MyDoom slowed down global internet access by 10% in 2004.
• Authorities investigating the 2008 crash of Spanair flight 5022 have discovered a

central computer system used to monitor technical problems in the aircraft was infected with malware

Motivation: Malware Detection

• The number of new malware exceeds 75 million by the end of 2011, and is still

increasing.

• The number of malware that produced incidents in 2010 is more than 1.5 billion.
• The worm MyDoom slowed down global internet access by 10% in 2004.
• Authorities investigating the 2008 crash of Spanair flight 5022 have discovered a

central computer system used to monitor technical problems in the aircraft was infected with malware

Malware detection is

important!!

Limitations of classic anti-virus techniques

• Signature (pattern) matching: Every known malware

has one signature

Limitations of classic anti-virus techniques

• Signature (pattern) matching: Every known malware

has one signature

• Easy to get around
• New variants of viruses with the same behavior cannot

be detected by these techniques

• Nop insertion, code reordering, variable renaming, etc
• Virus writers frequently update there viruses to make

them undetectable

Limitations of classic anti-virus techniques

• Signature (pattern) matching: Every known malware

has one signature

• Easy to get around
• New variants of viruses with the same behavior cannot

be detected by these techniques

• Nop insertion, code reordering, variable renaming, etc
• Virus writers frequently update there viruses to make

them undetectable

• Code emulation: Executes binary code in a virtual

environment

Limitations of classic anti-virus techniques

• Signature (pattern) matching: Every known malware

has one signature

• Easy to get around
• New variants of viruses with the same behavior cannot

be detected by these techniques

• Nop insertion, code reordering, variable renaming, etc
• Virus writers frequently update there viruses to make

them undetectable

• Code emulation: Executes binary code in a virtual

environment

• Checks program’s behavior only in a limited time interval

Limitations of classic anti-virus techniques

• Signature (pattern) matching: Every known malware has one

signature

• Easy to get around
• New variants of viruses with the same behavior cannot be detected by

these techniques

• Nop insertion, code reordering, variable renaming, etc
• Virus writers frequently update there viruses to make them undetectable
• Code emulation: Executes binary code in a virtual environment
• Checks program’s behavior only in a limited time interval

Solution:

Check the behavior (not the syntax) of the program without executing it

Limitations of classic anti-virus techniques

• Signature (pattern) matching: Every known malware has one

signature

• Easy to get around
• New variants of viruses with the same behavior cannot be detected by

these techniques

• Nop insertion, code reordering, variable renaming, etc
• Virus writers frequently update there viruses to make them undetectable
• Code emulation: Executes binary code in a virtual environment
• Checks program’s behavior only in a limited time interval

Solution:

Check the behavior (not the syntax) of the program without executing it

Model Checking is a good candidate

Goal: Model-checking for malware detection

Goal: Model-checking for malware detection

Binary code ╞ Malicious behavior ?

Goal: Model-checking for malware detection

Binary code ╞ Malicious behavior ? Model?

Goal: Model-checking for malware detection

Binary code ╞ Malicious behavior ? Model? Specification

formalism?

Goal: Model-checking for malware detection

Existing works: use finite automata to model the programs Binary code ╞ Malicious behavior ? Model? Specification

formalism?

Goal: Model-checking for malware detection

Existing works: use finite automata to model the programs

Stack?

Binary code ╞ Malicious behavior ? Model? Specification

formalism?

Stack: important for malware detection

• To achieve their goal, malware have to call functions of

the operating system

• Antiviruses determine malware by checking the calls

to the operating systems.

• Virus writers try to hide these calls.

Stack: important for malware detection

• To achieve their goal, malware have to call functions of

the operating system

• Antiviruses determine malware by checking the calls

to the operating systems.

• Virus writers try to hide these calls.

L0 : call f L1: … … … f : function f L0 : push L1 L’0: jmp f L1: … … … f : function f

Stack: important for malware detection

• To achieve their goal, malware have to call functions of

the operating system

• Antiviruses determine malware by checking the calls

to the operating systems.

• Virus writers try to hide these calls.

L0 : call f L1: … … … f : function f L0 : push L1 L’0: jmp f L1: … … … f : function f

Important to analyse the program’s

stack

Stack: important for malware detection

• To achieve their goal, malware have to call functions of

the operating system

• Antiviruses determine malware by checking the calls

to the operating systems.

• Virus writers try to hide these calls.

L0 : call f L1: … … … f : function f L0 : push L1 L’0: jmp f L1: … … … f : function f

Important to analyse the program’s

stack

Solution:

Use pushdown systems to model programs

Goal: Model-checking for malware detection

Binary code ╞ Malicious behavior ? Pushdown Systems Specification formalism?

Goal: Model-checking for malware detection

Binary code ╞ Malicious behavior ? Pushdown Systems

Specification formalism?

Specification of malicious behaviors? Example: fragment of email worm Avron

Call the API GetModuleHandleA with 0 as parameter. This returns the entry address of its

• wn executable.

Copy itself to other locations. mov eax, 0 push eax call GetModuleHandleA

Specification of malicious behaviors? Example: fragment of email worm Avron

Call the API GetModuleHandleA with 0 as parameter. This returns the entry address of its

• wn executable.

Copy itself to other locations. mov eax, 0 push eax call GetModuleHandleA

How to describe this specification?

Specification of malicious behaviors? Example: fragment of email worm Avron

mov eax, 0 push eax call GetModuleHandleA

In CTL (Branching-time temporal logic) : mov(eax,0)˄EX (push(eax)˄EX call GetModuleHandleA)

Specification of malicious behaviors? Example: fragment of email worm Avron

mov eax, 0 push eax call GetModuleHandleA

In CTL (Branching-time temporal logic) : mov(eax,0)˄EX (push(eax)˄EX call GetModuleHandleA) EX p: there is a path where p holds at the next state p EX p

Specification of malicious behaviors? Example: fragment of email worm Avron

mov eax, 0 push eax call GetModuleHandleA

In CTL (Branching-time temporal logic) : mov(eax,0)˄EX (push(eax)˄EX call GetModuleHandleA) ˅ mov(ebx,0)˄EX (push(ebx)˄EX call GetModuleHandleA) ˅ mov(ecx,0)˄EX (push(ecx)˄EX call GetModuleHandleA) ˅ ….. all the other registers EX p: there is a path where p holds at the next state p EX p

Specification of malicious behaviors? Example: fragment of email worm Avron

mov eax, 0 push eax call GetModuleHandleA

In CTL (Branching-time temporal logic) : mov(eax,0)˄EX (push(eax)˄EX call GetModuleHandleA) ˅ mov(ebx,0)˄EX (push(ebx)˄EX call GetModuleHandleA) ˅ mov(ecx,0)˄EX (push(ecx)˄EX call GetModuleHandleA) ˅ ….. all the other registers EX p: there is a path where p holds at the next state p EX p

Huge!

Specification of malicious behaviors? Example: fragment of email worm Avron

mov eax, 0 push eax call GetModuleHandleA

In CTL: mov(eax,0)˄EX (push(eax)˄EX callGetModuleHandleA) ˅ mov(ebx,0)˄EX (push(ebx)˄EX callGetModuleHandleA) ˅ mov(ecx,0)˄EX (push(ecx)˄EX callGetModuleHandleA) ˅ ….. all the other registers

∀ ∃,

CTPL = CTL + variables +

Specification of malicious behaviors? Example: fragment of email worm Avron

mov eax, 0 push eax call GetModuleHandleA

In CTL: mov(eax,0)˄EX (push(eax)˄EX callGetModuleHandleA) ˅ mov(ebx,0)˄EX (push(ebx)˄EX callGetModuleHandleA) ˅ mov(ecx,0)˄EX (push(ecx)˄EX callGetModuleHandleA) ˅ ….. all the other registers

∀ ∃,

CTPL = CTL + variables + In CTPL: ᴲ r (mov(r,0)˄EX (push(r)˄ EX call GetModuleHandleA))

Specification of malicious behaviors? Example: fragment of email worm Avron

mov eax, 0 push eax call GetModuleHandleA

In CTL: mov(eax,0)˄EX (push(eax)˄EX callGetModuleHandleA) ˅ mov(ebx,0)˄EX (push(ebx)˄EX callGetModuleHandleA) ˅ mov(ecx,0)˄EX (push(ecx)˄EX callGetModuleHandleA) ˅ ….. all the other registers

∀ ∃,

CTPL = CTL + variables + In CTPL: ᴲ r (mov(r,0)˄EX (push(r)˄ EX call GetModuleHandleA))

CTPL cannot describe the stack:

needed for malicious behaviors description

Specification of malicious behaviors? Example: fragment of email worm Avron

In CTPL: ᴲ r (mov(r,0)˄EX (push(r)˄ EX call GetModuleHandleA))

mov eax, 0 push eax call GetModuleHandleA Call the API GetModuleHandleA with 0 as parameter. This returns the entry address of its

• wn executable.

Copy itself to other locations.

Specification of malicious behaviors? Example: fragment of email worm Avron

In CTPL: ᴲ r (mov(r,0)˄EX (push(r)˄ EX call GetModuleHandleA))

mov eax, 0 push ebx pop ebx push eax call GetModuleHandleA Call the API GetModuleHandleA with 0 as parameter. This returns the entry address of its

• wn executable.

Copy itself to other locations.

Specification of malicious behaviors? Example: fragment of email worm Avron

In CTPL: ᴲ r (mov(r,0)˄EX (push(r)˄ EX call GetModuleHandleA))

mov eax, 0 push ebx pop ebx push eax call GetModuleHandleA Call the API GetModuleHandleA with 0 as parameter. This returns the entry address of its

• wn executable.

Copy itself to other locations.

Our solution: Consider predicates over the stack

Specification of malicious behaviors? Example: fragment of email worm Avron

In CTPL: ᴲ r (mov(r,0)˄EX (push(r)˄ EX call GetModuleHandleA))

mov eax, 0 push ebx pop ebx push eax call GetModuleHandleA Call the API GetModuleHandleA with 0 as parameter. This returns the entry address of its

• wn executable.

Copy itself to other locations.

Our solution: Consider predicates over the stack In SCTPL: EF ( call GetModuleHandleA ˄ (head_stack = 0) ) EF p: there is a path where p holds in the future

Expressing Obfuscated Calls in SCTPL

L0 : call f L: … … … f : function f L0 : push L L’0: jmp f L: … … … f : function f

Expressing Obfuscated Calls in SCTPL

L0 : call f L: … … … f : function f L0 : push L L’0: jmp f L: … … … f : function f ᴲL ( E !( ᴲ f call(f) ˄ AX (head_stack=L)) U (ret ˄ (head_stack= L)))

Expressing Obfuscated Calls in SCTPL

L0 : call f L: … … … f : function f L0 : push L1 L’0: jmp f L: … … … f : function f ᴲL ( E !( ᴲ f call(f) ˄ AX (head_stack=L)) U (ret ˄ (head_stack= L))) L is not a return address of a function call

Expressing Obfuscated returns in SCTPL

L0 : call f a : … … f: … … pop eax jmp eax

h_s= a h_s= a

h_s : head-stack

!

Expressing Appending Viruses in SCTPL

L0 : call f a : … f: pop eax

An appending virus append itself at the end of the host file The virus has to compute its address in memory

h_s = a h_s = a

h_s : head-stack

Goal: Model-checking for malware detection

Binary code ╞ Malicious behavior ?

Goal: Model-checking for malware detection

Binary code ╞ Malicious behavior ? Pushdown Systems SCTPL

Goal: Model-checking for malware detection

Binary code ╞ Malicious behavior ? Pushdown Systems SCTPL Pushdown System╞ SCTPL ?

SCTPL model-checking for Pushdown Systems Non trivial: stack can be unbounded

SCTPL model-checking for Pushdown Systems Non trivial: stack can be unbounded Theorem: Given a Pushdown System P and a SCTPL formula ᵠ, whether P satisfies ᵠ can be effectively decided.

Implementation

We implemented our techniques in a tool for virus detection IdaPro + Jakstab CFG Binary Code Translator PDS Model-checking engine Malware behaviors as SCTPL formulas YES/NO

Experiments of POMMADE

• 1. Our tool was able to detect more than 800 malwares

2.We checked 400 real benign programs from Windows XP system. Benign programs are proved benign with only three false positives. 3.Our tool was able to detect all the 200 new malwares generated by two malware creators 4.Analyze the Flame malware that was not detected for more than 5 years by any anti-virus

Our tool vs. known anti-viruses

NGVCK and VCL32 malware generators 1.generate 200 new malwares 2.the best malware generators 3.generate complex malwares

Gener ator No. Of Vari ant s PO MM

ADE

Avi ra Kasp ersk y Ava st Qiho

• 360

McA fee AVG BitDef ender Eset Nod3 2 F- Sec ure Nort

• n

Pan da Tre nd Micr

• NGVC

K

100 100 % 0% 23% 18 % 68% 100 % 11% 97% 81% 0% 46% 0% 0%

VCL32 100 100

% 0% 2% 100 % 99% 0% 100 % 100% 76% 0% 30% 0% 0%

Analyze The Flame Malware

Flame is being used for targeted cyber espionage in Middle Eastern countries. It can 1.sniff the network traffic 2.take screenshots 3.record audio conversations 4.intercept the keyboard 5.and so on

It was not detected by any anti-virus for 5 years

Analyze The Flame Malware

Flame is being used for targeted cyber espionage in Middle Eastern countries. It can 1.sniff the network traffic 2.take screenshots 3.record audio conversations 4.intercept the keyboard 5.and so on

It was not detected by any anti-virus for 5 years

Our tool can detect this malware Flame

Conclusion

• We introduced a new logic SCTPL to precisely specify malicious

behaviors

• We proposed efficient SCTPL model-checking algorithms for

pushdown systems.

• We implemented our techniques in a tool for malware detection:

POMMADE

• POMMADE was able to detect more than 800 malwares, several
• f them cannot be detected by well-known anti-viruses, such as,

Avast, Kaspersky, McAfee, Norton, Avira, etc

Questions?